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DETAILED ACTION 

1 . Examiner acknowledges and considers the formal drawing received. on 
03/08/2001. 

Claim Rejections - 35 USC § 102 

2. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

3. Claims 1,18, 23, and 27 are rejected under 35 U.S.C. 102(e) as being 
anticipated by Bachman et al, US Patent No. 5907621, hereinafter "Bachman". 

4. As per claims 1,18, and 23, Bachman discloses "a method for determining 
whether to allow access to a protected resource from a server, comprising the steps of: 
at a client, responsive to a request to retrieve the protected resource, generating a one- 
time only use piece of data (the random number is the unique and the non-repeat piece 
of data for the session cookie) which can be used to authenticate that the request is 
bound to a given identity contained in a cookie previously set by an authentication 
server; Forwarding the piece of data to the server in the request; at the server, 
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determining whether the piece of data is valid" in (Col 2 lines 10-25, and Col 3 line 34 to 
Col 4 line 10); and Bachman teaches "if the piece of data is valid, executing an access 
control decision to determine whether to invoke the request" in (Col 4 lines 19-28). 

5. As per claim 27, Bachman teaches "the computer program product as described 
in claim 23 further including code for saving the timestamp and the authentication token 
in a data structure to prevent replay of the authentication token" in (Col 5 lines 30-64). 

Claim Rejections - 35 USC § 103 

6. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person, having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

7. Claims 11 and 14 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Bachman. 

8. As per claims 1 1 , Bachman discloses "a method of accessing a protected 
resource at a server, comprising the steps of: at the server, receiving a request for a 
URL (hypertext link in Col 3 lines 57-60) together with the one-time use token 
associated with the request; determining whether the authentication token is valid; if the 
authentication token is not valid, returning to a requesting client an access denied 
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message; and if the authentication token is valid, executing an access decision function 
to determine whether to allow access to the protected resource" in (Col 3 line 35 to Col 
4 line 10 and Col 5 line 30 to Col 6 line 9). However, Bachman does not teach the 
request include an identity cookie and an authentication token specifically. 
Nevertheless, Bachman teaches the token does have both identity and authentication 
information necessary to validate the identity of the user and the one-time use token. 
The Ek(f(ID), R, I) is the one-time use authentication token. The f(ID) is to authenticate 
the user using the identity (Col 35-50). Therefore, it would have been obvious at the 
time of the invention was made for one having ordinary skill in the art to realize that 
Bachman invention does carry the steps for authentication utilizing one token which 
includes both identity token and the authentication information. 

9. As per claim 14, Bachman teaches "the method as described in claim 1 1 
wherein the identity cookie includes a userid, an optional access control token, and a 
URL pointing to a location that includes a script" in (Col 5 lines 30-50, and Col 5 line 64 
to Col 6 line 10). 

10. Claims 2-4, 12-13, 20-22, and 24-25 are rejected under 35 U.S.C. 103(a) as 
being unpatentable over Bachman in view of Davis et al (US-6064736) and further 
in view of Payne et al (US-5715314). 
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11. As per claim 2, Bachman discloses the method as described in claim 1 , further 
Bachman discloses the one-time only use piece of data is generated by applying a 
given function to a nonce generated by the a server, and the client's identity (Col 3 lines 
34-48). However, Bachman does not teach that the piece of data includes a URL of the 
protected resource, a timestamp, and the server identity. Nevertheless, Davis et al 
teach the use of hashing the nonce from the server, and the PW (password of the user 
which is the client id) with the server's name (Server ID) to create the secretHash key 
(Col 6 lines 1-5) for authentication; And Payne et al teach the use of URL hashing (Col 
5 lines 40-45) for authentication. Therefore, it is obvious at the time of the invention was 
made for one having ordinary skill in the art to combine Bachman, Linden et al, Davis et 
al, and Payne et al's teaching to strengthening the security of the piece of data usage 
by using the timestamp and a non-repeating random number with the URL, userid, and 
server id. Further more, the use of a nonce and timestamp together will definitely 
restrict the piece of data usage to only one time. 

1 2. As per claims 3, 12, 20, and 24, Bachman, Linden et al, and Davis et al disclose 
the method as described in Claims 2, 1 1 , and 18. However, Bachman, Linden et al, and 
Davis et al do not teach the function get calculated with a given key to become the 
Message authentication code (MAC) for authentication. Nevertheless, Payne et al do 
teach the feature. Payne et al disclose the invention "Network sales system" which 
uses the key to define the hash function of the information in the payment URL to 
generate the URL authenticator (Col 5 lines 40-45). The URL authenticator is the 
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message authentication code (MAC). Adding the nonce and the timestamp to generate 
the MAC will definitely prevent the replay of the cookie; The URL can be interpreted as 
the server identity and the client identity must also necessary in-order to authenticate 
the server and to distinct the originality of the cookie. Therefore, It is obvious at the time 
of the invention was made for one having ordinary skill in the art to understand that the 
combination of the teaching above will increase the security for accessing a protected 
resource. It is also obvious that a program code or a script in a computer medium is 
necessary to execute the calculation. 

13. As per claims 4, 13, 21-22, and 25, Bachman teaches the method as described 
in claim 3 wherein the given key is a symmetric key ksc that is binds the piece of data to 
the user identity contained in the identity cookie (Col 5 lines 30-62). 

14. Claims 5 and 6 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Bachman in view of Linden et al, further in view of Davis et al, further in view 
of Payne et a/, further in view ofJuels, and further in view of Gurevich et al (US- 
2002/0178370). 

15. As per claim 5, Bachman, Linden et al, Davis et al, Payne et al, and Juels 
discloses the method as described in Claim 4. However, they do not teach the 
symmetric key that is generated by applying a one-way hash function to a shared 
client-server key kc, the server identity, and a nonce from the server. Nevertheless, 
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Gurevich et al completely teach this method and the use of it as a symmetric key (Par 
0068 in the mid paragraph). The token key and the PIN are used as an encryption key 
between the server and the client. The SKP is the server side key component 
generated by a random number engine, at the same is the server key or can be 
interpreted as server identity (Para 0068). It would be obvious at the time of the 
invention was made for one having ordinary skill in the art to combine the symmetric key 
generation method of Gurevich et together with inventors in claim 4. The incorporation 
will successfully create a strong and unique key to bind the authentication data securely 
and then transmit it to the server for authentication (Para 0069). 

16. As per claim 6, Bachman, Linden et al, Davis et al, Payne et al, Jues and 
Gurevich et al disclose the method as described in Claim 5. The feature of the shared 
client-server key generated by applying a one-way hash function to a user password is 
completely anticipated by Davis et al (Col 2 lines 15-25). Davis et al teach the use of 
hashed password to establish a session between the server and the client to ensure 
unwanted intruders. It is obvious at the time of the invention was made for one having 
ordinary skill in the art to recognize that the feature is necessary to incorporate with 
authentication mechanism to a network for strengthening the security. 

17. Claims 15, and 26 are rejected under 35 U.S.C. 103(a) as being unpatentable 
Bachman in view of Linden et al, further in view of Davis et al, further in view of 
Payne et al (US-5715314), and further in view ofJuels (US-6446052). 
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18. As per claims 15 and 26, Bachman, Linden et al, Davis et al, Payne et al and 
Juels disclose the method as described in Claims 12 and 25 wherein the step of 
determining whether the authentication token is valid includes the steps of: calculating a 
message authentication code; evaluating whether the message authentication code is 
the same as the MAC in the authentication token. It is obvious at the time of the 
invention was made for one having ordinary skill in the art to understand that the 
validation steps of authentication token must be the backward process of the 
engineering the token in-order to understand the received information. Therefore, it is 
obviously exist in the system. 

19. Claims 16-17, and 27 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Bachman and Linden et al (US-6360254). 

20. As per claims 16, 17, and 27, Bachman disclose the computer program product 
as described in Claim 23. Howerver, Bachmando not further including code for saving 
the timestamp and the authentication token in a data structure to prevent replay of the 
authentication token. Nevertheless, Linden et al disclose the "System and method for 
providing secure URL-Based access to private resources" invention that completely 
teaches the feature (Col 6 lines 51-55). The token here is generated either of a 
timestamp, server identification (hardware device pseudo-random sequence of value 
(Col 5 lines 2-5)), userid, timestamp, or even a random number (Col 4 lines 63-67). It is 
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obvious at the time of the invention was made for one having ordinary skill in the art to 
incorporate the feature in the claimed invention for security purpose. 

21. Claims 7-10, and 19 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Bachman in view of Grantges, Jr. etal, US Patent No 6510464, 
hereinafter "Grantges". 

22. As per claims 7-1 0, Bachman discloses the method as described in claim 1 
wherein the cookie includes a userid (Col 5 line 35). However, Bachman does not 
discloses the cookie includes the server identity, a URL pointing to a location at the 
server that includes a script, an access control token, code for verifying the piece of 
data. Nevertheless, Grantges does teach a userid, the server identity, and a URL 
pointing to a location at the server that includes a script (Col 10 lines 6-25), and an 
access control token (Col 10 lines 11-13). The authentication cookie (Col 9 line 55) 
includes a user digital certificate (userlD) and a range of URL's for which the cookie is 
valid (Col 9 lines 62-65). The URL is also use to identify the server (Server Identity) 
(Col 10 line 51). The script is located on the proxy server, which is in the same domain 
or network as the application server or called protected resource (Col 8 lines 15-25), 
also called authorization plug-in (Col 10 line 59-61); and its job is to validate the 
authentication cookie. The access control token is referred as an applications list 
cookie (Col 10 line 15), which includes a list of authorized application for the user to 
access. Therefore, It would have been obvious at the time of the invention was made 
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for one having ordinary skill in the art to modify Bachman's invention to include the 
same system as Grantges' in their invention to carry out an authorization process for the 
protected resource. 

23. As per claim 19, Bachman discloses the computer program product as described 
in Claim 18. However, Bachman does not teach a signed applet for installing the code 
in the client computer. Nevertheless, Grantges does teach this feature in (Col 4 lines 
33-65). It would have been obvious at the time of the invention was made for one 
having ordinary skill in the art to modify Bachman's invention to include the signed 
applet for installing the code in the client computer to have a capability to view the 
protected resource according to the format. 

24. Claim 28 is rejected under 35 U.S.C. 103(a) as being unpatentable over 
Bachman in view of Davis et al, further in view of Gurevich et al, and further in 
view of Payne et al. 

25. As per claim 28, Bachman teaches "a method for issuing an access request from 
a client browser to a server hosting a protected resource, wherein an identity cookie has 
been set on the client browser by an authentication server" in (Col 5 line 30 to Col 6 line 
10). However, Bachman does not teach what the method comprises of. Nevertheless, 
Payne et al disclose the "Network sales system" invention includes the uses a key 
shared by the merchant (server) and the operator (client) to generate the payment URL 
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authenticates (Message authentication code). The URL authenticator (MAC) includes a 
domain identifier (URL and time tracking mechanism to expire the cookie (which must 
also includes a timestamp) (Col 5 lines 26-46). Gurevich et al teach the authentication 
method that includes sending the encrypted data item (Para 0068) (Piece of data), 
which is also called authentication message (MAC) (Para 0057), with the unencrypted 
piece of data to the server for validity (Para 0068). The data item composes of the 
Identification (ID) (user ID) and the server side key (server ID). Gurevich et al also 
mention the user may arbitrary assign the identification data, which could be a 
timestamp (Para 0069). Davis et al teach of hashing the nonce from the server and 
client, and the password to create a key for decryption (Col 3 lines 65-67). Therefore, it 
would have been obvious at the time of the invention was made for one having ordinary 
skill in the art to modify the invention to include the MAC in Payne et al's invention, 
Gurevich et al's method of sending the MAC with the data items, comprising the 
timestamp, server ID, user ID, and a nonce, which is taught be Davis et al, to the server 
with the ID cookie in Bachman's teaching for validation (Col 3 lines 43-59). The 
incorporation will obviously create a non-replay cookie (caused by the timestamp and 
the nonce) and a strong authentication process which creates great obstacle for 
intruders. 

26. Claims 29-35 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Bachman in view of Davis et al, further in view of Gurevich et al, further in 
view of Payne et al, and further in view of Juels. 
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27. As per claim 29, Bachman, Davis et al, Gurevich et al, and Payne et al disclose 
the method as described in Claim 28. However, they do not teach the generating of the 
MAC upon each request for the protected. Nevertheless, Juels does teach the method 
clearly in the "Digital Coin Tracing Using trustee tokens" invention (Juels, Col 8 lines 27- 
43). Therefore, it is obvious at the time of the invention was made for of ordinary skill in 
the art to incorporate the method to ensure the authenticity of the message 
authentication code. 

28. As per claim 30, Bachman, Davis et al, Gurevich et al, and Payne et al disclose 
the method as described in Claim 28. However, Bachman, Davis et al, Gurevich et al, 
and Payne et al do not teach the method using the symmetric key to binds the MAC to 
the user identity. Nevertheless, Juels discloses the method clearly (Col 7 lines 14-26 
and Col 8 line 3). The user identity is the IDv, and the MAC (Col 8 line 3) is the trustee 
token Mi or coin (Col 7 lines 41-44). In Col 7 lines 14-26, Juels specifically teach the 
mapping of a user's identity to the digital coin (MAC) using the symmetric key 
encryption. It is obvious at the time of the invention was made to one of ordinary skill in 
the art to implement the same method of Juels with Bachman, Davis et al, Gurevich et 
al, and Payne et al to distinguish and identify each MAC when authenticate and at the 
same increase the security to prevent imposter. 
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29. As per claim 31, Bachman, Davis et al, Gurevich et al, and Payne et al disclose 
the method as described in Claim 30. However, they do not teach the symmetric key 
that is generated by applying a one-way hash function to a shared client-server key kc, 
the server identity, and a nonce from the server. Nevertheless, Gurevich et al 
completely teach this method and the use of it as a symmetric key (Par 0068 in the mid 
paragraph). The token key and the PIN are used as an encryption key between the 
server and the client. The SKP is the server side key component generated by a 
random number engine, at the same is the server key or can be interpreted as server 
identity (Para 0068). It would be obvious at the time of the invention was made for one 
having ordinary skill in the art to combine the symmetric key generation method of 
Gurevich et together with inventors in claim 4. The incorporation will successfully create 
a strong and unique key to bind the authentication data securely and then transmit it to 
the server for authentication (Para 0069). 

30. As per claim 32, Bachman, Davis et al, Gurevich et al, and Payne et al disclose 
the method as described in Claims 5 and 31 . The feature of the shared client-server 
key generated by applying a one-way hash function to a user password is completely 
anticipated by Davis et al (Col 2 lines 15-25). Davis et al teach the use of hashed 
password to establish a session between the server and the client to ensure unwanted 
intruders. It is obvious at the time of the invention was made for one having ordinary 
skill in the art to recognize that the feature is necessary to incorporate with 
authentication mechanism to a network for strengthening the security. 
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31 . As per claims 33 and 34, Bachman, Davis et al, Gurevich et al, and Payne et al 
disclose the method as described in Claim 28. Bachman also explicitly teach the cookie 
includes a userid, the server identity, and a URL pointing to a location at the server that 
includes a script (Col 10 lines 6-25), and an access control token (Col 10 lines 11-13). 
The authentication cookie (Col 9 line 55) includes a user digital certificate (userlD) and 
a range of URL's for which the cookie is valid (Col 9 lines 62-65). The URL is also use 
to identify the server (Server Identity) (Col 10 line 51). The script is located on the proxy 
server, which is in the same domain, or network as the application server or called 
protected resource (Col 8 lines 15-25), also called authorization plug-in (Col 10 line 59- 
61 ); and its job is to validate the authentication cookie. The access control token is 
referred as an applications list cookie (Col 10 line 15), which includes a list of authorized 
application for the user to access. 

32. As per claim 35, Bachman, Davis et al, Gurevich et al, and Payne et al disclose 
the method as described in Claim 34 wherein the script includes code for identifying 
whether a MAC is valid (Juels, Col 7 lines 35-45). 

Response to Amendment 

Response to applicant's argument, claims 1-35 are pending. The previous grounds of 
rejection are withdrawn in view of the applicant's arguments in the amendment filed on 
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10/12/04. However, newly discovered prior art has necessitated new grounds of 
rejection. The new grounds of rejection are presented above. The delay in citation of 
the newly discovered prior art is regretted. 



Conclusion 

33. Any inquiry concerning this communication from the examiner should be directed 
to Linh Son whose telephone number is (571 )-271 -3856. 

34. If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor Kim Y. Vu can be reached at (571)-272-3859. The fax numbers for this 
group are (703)-872-9306 (official fax). Any inquiry of general nature or relating to the 
status of this application or proceeding should be directed to the group receptionist 
whose telephone number is (571)-272-2100. 

35. Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval IPAIR.I system. Status information for 
published applications may be obtained from either Private PMR or Public PMR. Status 
information for unpublished applications is available through Private PMR only. For 
more information about the PAIR system, see http://pzr-direct.uspto.gov. Should you 
have questions on access to the Private PAIR system, contact the Electronic Business 
Center (EBC) at 866-217-9197 (toll-free). 
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